About Us. Overview Integrity Audit Fighting Malicious & Deceptive August 13, 2014

Transcription

1 2014 Integrity Audit Fighting Malicious & Deceptive August 13, 2014 Craig Spiezle Executive Director & President, OTA Mike Jones Director of Product Management, Agari About Us The Online Trust Alliance (OTA) is a 501c3 charitable nonprofit with the mission to enhance online trust and empower users, while promoting innovation. Goal is to help educate businesses, policy makers and stakeholders while developing and advancing best practices and tools to enhance the protection of users' security, privacy and identity. OTA supports collaborative public-private partnerships, benchmark reporting, meaningful self-regulation and data stewardship All rights reserved. Online Trust Alliance (OTA) Slide 2 Overview Background 2014 Online Trust Honor Roll Top Level Findings Trust Scorecard Highlights Either DKIM or SPF Both DKIM or SPF Subdomains SPF & DKIM DMARC TLS Summary Best Practices 2014 All rights reserved. Online Trust Alliance (OTA) Slide 3 1

2 Honor Roll Overview Analysis of ~800 web sites FDIC Banking 100 Internet Retailer 500 Top 50 Social Top 50 News/Media (introduced in 2014) Top 50 Federal Gov t OTA Members Scoring Up to 100 points in each category Bonus points for emerging practices Penalty points for Data loss incident Security Brand Protection Fines/settlement Failure to follow established practices Honor Roll = 80% of total points, 55% or better in each category 2014 All rights reserved. Online Trust Alliance (OTA) Slide 4 Privacy Why Care It is widely accepted that when organizations implement SPF, DKIM and DMARC across all of their outbound streams they achieve three major benefits: 1. Increased protection from consumers receiving malicious and fraudulent 2. Improved brand reputation protection 3. Enhanced deliverability of legitimate into users inboxes 2014 All rights reserved. Online Trust Alliance (OTA) Slide 5 Brand Protection - Eauth Authentication SPF: Path-based. Sender publishes list of authorized servers. receiver checks if server is authorized to send for domain. DKIM: Signature-based. Sender inserts signature into . receiver checks signature regardless of source. DKIM+SPF = Resilient authentication infrastructure Slide 14 2

3 Complementary Standards SPF DKIM Path-based (RFC 7208) Authorized servers published via simple DNS record Very low deployment cost Forwarding breaks SPF Signature-based (RFC 6376) Requires cryptographic operation by gateways Public keys published via DNS Can survive forwarding Is the messenger (server) permitted? Is the signature authentic? Slide 7 Complementary Standards SPF Path-based (RFC 7208) Authorized servers published via simple DNS record Very low deployment cost Forwarding breaks SPF Is the messenger (server) permitted? DMARC Overlay Leverages SPF and DKIM as authentication mechanisms Describes how to deploy SPF and DKIM consistency Visibility Describes new feedback mechanism Gives senders visibility into how receiver s process their Policy Senders can declare how to process auth-failing Specifies a DNS-based policy model that incorporating SPF + DKIM results DKIM Signature-based (RFC 6376) Requires cryptographic operation by gateways Public keys published via DNS Can survive forwarding Is the signature authentic? Slide 8 DMARC Value Domain Owners & Senders Receive: Enhanced brand protection Ability to communicate what to do with illegitimate Feedback loop to improve and monitor their authentication infrastructure Visibility on both the abuse of their domain and to optimize authentication across all domains and subdomains Receiving Networks & ISPs receive: Clarity for handling of un-authenticated & failing Uniform and scalable method to determine legitimacy Freedom to act on with confidence no more guessing Scalable methods to provide feedback to Domain Owners End Users Greater confidence of the channel and significant reduction in risk of phishing from DMARC domains. Slide 9 3

4 DMARC Policy Policy options: none simply monitor and supply feedback quarantine process with high degree of suspicion reject do not accept that fails DMARC check Policy discovery: Receivers extract the RFC5822.From domain, query DNS for TXT record: _dmarc.mail.sub.example.com If none found, extract and attempt Organizational Domain : _dmarc.example.com Method caps # of DNS lookups in DMARC policy discovery to 2 Slide 10 Why Care Combined SPF, DKIM and DMARC has helped to block hundreds of thousands of messages, helping to protect our customers from potential threats. DMARC is invaluable and promises to be one of the most noteworthy developments in the industry in the last decade. Sal Tripi, Assistant Vice President, Digital Operations & Compliance, Publishers Clearing House 2014 All rights reserved. Online Trust Alliance (OTA) Slide 11 Summary Passing Scores = SPF & TLD and DMARC 2014 All rights reserved. Online Trust Alliance (OTA) Slide 12 4

5 Highlights Only 8.3% have fully implemented SPF, DKIM and DMARC. on consumer facing brands. Authentication - Adoption of both SPF and DKIM rose across all sectors. Led by the IR100 with 88% adoption, the IR 500 showed the largest growth climbing from 56%. Top Level Domains (TLDs) vs Sub-Domains - SPF and DKIM adoption continues to grow primarily at delegated sub-domains, yet disappointingly, brands are failing to authenticate at the TLD. DMARC Adoption continues to rise in all sectors, but the growth must accelerate to help maximize consumer protection. Top 100 Internet Retailers (IR 100) - Continues to outpace all segments in adoption of SPF and DKIM, yet lag behind the FDIC 100 and Social 50 in adoption of DMARC indicating a missed opportunity All rights reserved. Online Trust Alliance (OTA) Slide 13 Highlights FDIC Highest failure rate caused by lack of authentication support (especially DKIM at their TLD). Social 50 - Top social sites including social networking, dating, gaming and document sharing sites received the highest score for DMARC adoption (36%). Social led all segments in DKIM adoption at their TLD outpacing the FDIC and IR 500 by over 2:1 Federal Government 50 - Consistently scored at the bottom of every authentication adoption metric. Only 4% passed, due in part to only 20% adopting DKIM at their TLD and only 6% publishing a DMARC record All rights reserved. Online Trust Alliance (OTA) Slide 14 Why Care DMARC dramatically reduced the number of forged s sent to our users. DMARC was a direct benefit to our users by blocking these impersonations. Josh Aberant, Twitter s Postmaster 2014 All rights reserved. Online Trust Alliance (OTA) Slide 15 5

6 Overview 2014 All rights reserved. Online Trust Alliance (OTA) Slide 16 Trends 5 Years of Growth 2014 All rights reserved. Online Trust Alliance (OTA) Slide 17 Trends Both - A Best Practice! Slide 17 6

7 TLD vs Subdomains - SPF 2014 All rights reserved. Online Trust Alliance (OTA) Slide 19 DKIM 5 Year Growth 2014 All rights reserved. Online Trust Alliance (OTA) Slide 20 TLDs vs Subdomains - DKIM 2014 All rights reserved. Online Trust Alliance (OTA) Slide 21 7

8 DMARC 2014 All rights reserved. Online Trust Alliance (OTA) Slide 22 DMARC - R/Q 2014 All rights reserved. Online Trust Alliance (OTA) Slide 23 Why Care Implementing DMARC stopped nearly 25 million attempted attacks on our customers. Not only is DMARC shutting down spoofed domain attacks, but it has also cut the overall volume of daily attacks in half since Trent Adams, Senior Advisor on security for PayPal and ebay Inc All rights reserved. Online Trust Alliance (OTA) Slide 24 8

9 Transport Layer Security (TLS) is effectively plain text open for anyone to eavesdrop. TLS offer encryption of your message while it is in transit Required between all the servers that handle the message including hops between internal and external servers. TLS is rapidly being adopted as the standard for secure . Key features : Encrypted Messages: Uses Public Key Infrastructure (PKI) to encrypt messages between mail servers. This encryption makes it more difficult for hackers to intercept and read messages. Authentication: Uses of digital certs to authenticate the receiving servers. Opportunistic TLS is accomplished when used by both sending and receiving parties to negotiate a secured SSL/TLS session and encrypt the message All rights reserved. Online Trust Alliance (OTA) Slide 25 Lessons Learned Your mailing environment is dynamic. Requires operational discipline. Needs operations, marketing, IT and security to work together. You need to test and monitor All rights reserved. Online Trust Alliance (OTA) Slide 26 Recommendations 1. Adopt a holistic strategy across all channels and domains including; 1) TLDs, 2) sub-domains, 3) parked domains and 4) domains that don t send Implement both SPF and DKIM for domains. Combined they provide coverage for the majority of use cases including mail forwarding. 3. Implement DMARC for all actively used domains, initially in monitor mode to obtain feedback and verify accuracy, and eventually to assert a reject or quarantine policy to receivers All rights reserved. Online Trust Alliance (OTA) Slide 27 9

10 Recommendations 4. Implement inbound authentication and DMARC to help protect employees and corporate data from spear phishing exploits. 5. Publish DMARC reject policies for parked domains and any domain not used for Continually monitor mail flows and keep records up to date. This includes DKIM key rotation and SPF record maintenance. Don't forget to monitor delegated domains 7. Implement opportunistic TLS to enhance users privacy and security of their while in transit. 8. Monitor domain registrations for look-a-like domains All rights reserved. Online Trust Alliance (OTA) Slide 28 Tools & Resources Integrity Audit Online Trust Honor Roll Charts Testimonials Security Data Protection & Breach Readiness Guide Craig Spiezle All rights reserved. Online Trust Alliance (OTA) Slide 29 10